[plug] OT: latest worm affecting bind

Christian christian at amnet.net.au
Fri Mar 30 09:36:28 WST 2001


On Thu, Mar 29, 2001 at 05:27:04PM +0800, Steve Vertigan wrote:
> Mike Holland wrote:
>  
> > I have the UDP dns port open for receiving replies, as in the HOWTO.
> > 
> >     # Accept DNS answers on privileged port.
> >     ipchains -A input -j ACCEPT -i ppp+ -d 0/0 53 -p udp
> > 
> > Is that safe? I closed it and bind still seems to work locally, presumably
> > getting replies back over a TCP connection that my end opened.
> > 
> > Why might I want the UDP port open, as given in the HOWTO example?
> 
> If I read that correctly you're allowing -incoming- connections to your
> port 53, not a good idea if you're running a vulnerable bind daemon.
> Later versions of bind, when making an outgoing connection will make it
> on an unprivileged port (ie 1024-65536ish) unless explicitly instructed
> to use port 53 which would be why you can still do dns lookups with that
> line removed.  To be thorough you could only allow incoming connection
> -from- port 53 and -to- an unprivileged port although you probably want
> the unprivileged ports open for other services.
 
Maybe I'm missing something really obvious but I think you're not
actually reading it correctly.  UDP is a connectionless protocol so he
can't possibly be allowing incoming connections.  If you want to receive
replies to DNS queries then you need to allow incoming UDP packets on
port 53.  You can tighten this down by only allowing them from your
upstream DNS servers (forwarders) or, if the machine in question *is*
those DNS servers, then only from UDP port 53.  This is a common way to
pierce firewalls though.  I seem to vaguely remember reading a possible
solution somewhere but can't think of it off the top of my head.
Another alternative could be using a stateful filter so you only allow
incoming 53/udp if you have previously sent out a DNS request to that
particular machine.


-- 
DSA 0x0EC1D28C: BBCB 0D79 4EBB 078A A066  7267 8BED E9D6 0EC1 D28C
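The two tightened options Christian describes, modelled as an added example (not code from this thread): a stateless filter that accepts 53/udp in only from the configured forwarders with source port 53, beside a stateful one that admits a reply only if a matching query left first. Hosts, ports and the forwarder address are constructed, and the packet model is a stand-in for what ipchains sees, not ipchains itself.

```python
from dataclasses import dataclass
DNS_PORT = 53

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving on the external (ppp+) side, "out" = leaving
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatelessDnsFilter:
    """Tightened HOWTO rule: accept 53/udp in only from a configured
    forwarder and only when the source port is 53."""
    def __init__(self, forwarders):
        self.forwarders = set(forwarders)

    def accept(self, pkt):
        return (pkt.direction == "in" and pkt.src_port == DNS_PORT
                and pkt.src_ip in self.forwarders)

class StatefulDnsFilter:
    """Accept 53/udp in only if a query left for that host from that
    local port and the entry has not timed out; one reply per query."""
    def __init__(self, timeout=30.0):
        self.timeout = timeout
        self.pending = {}  # (remote_ip, local_port) -> time the query left

    def observe_out(self, pkt, now):
        if pkt.direction == "out" and pkt.dst_port == DNS_PORT:
            self.pending[(pkt.dst_ip, pkt.src_port)] = now

    def accept(self, pkt, now):
        if pkt.direction != "in" or pkt.src_port != DNS_PORT:
            return False
        sent = self.pending.pop((pkt.src_ip, pkt.dst_port), None)
        return sent is not None and now - sent <= self.timeout

def demo():
    # Constructed addresses: 192.0.2.53 is our forwarder, 10.0.0.2 is us.
    stateless, stateful = StatelessDnsFilter(["192.0.2.53"]), StatefulDnsFilter()
    query = Packet("out", "10.0.0.2", 40123, "192.0.2.53", DNS_PORT)
    reply = Packet("in", "192.0.2.53", DNS_PORT, "10.0.0.2", 40123)
    forged = Packet("in", "192.0.2.53", DNS_PORT, "10.0.0.2", 1024)  # unsolicited
    stateful.observe_out(query, now=0.0)
    return {"stateless_reply": stateless.accept(reply),
            "stateless_forged": stateless.accept(forged),  # src port 53 is enough
            "stateful_reply": stateful.accept(reply, now=1.0),
            "stateful_forged": stateful.accept(forged, now=1.0),
            "stateful_replay": stateful.accept(reply, now=2.0)}
```

The stateless variant still passes any packet that claims the forwarder's address and source port 53, which is the hole Christian's "common way to pierce firewalls" remark refers to; the stateful one rejects it because no query was ever sent to that port.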